Monday, October 06, 2008

Information warfare and defending organizations from computer espionage

This blog post is about computer-based espionage, and how we can defend our organizations against it. But I'd like to start from a mood piece of sorts.

There has been too much noise about information warfare lately. If we put DDoS (Distributed Denial of Service) and defacement attacks (such as those in Estonia [PDF]) out of mind, the following two stories (coincidentally left to rot as Firefox tabs in my browser for the past two months) give a better understanding of what it is really about, without resorting to more scary stories about what China is, or isn't, doing.

We'll also touch on other interesting cases, such as the Israeli Trojan horse case, when we talk about defensive measures against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage:
http://www.networkworld.com/community/node/32202

The second is a lesson from history called The Farewell Dossier.

From Wikipedia:
The Farewell Dossier was a collection of documents containing intelligence gathered and handed over to NATO by the KGB defector Colonel Vladimir Vetrov (code-named "Farewell") in 1981-1982, during the Cold War.

...

This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982. The details of the operation were declassified in 1996.
The resulting explosion was so big that it was supposedly mistaken for a nuclear explosion by American decision makers until the CIA said: "oh, that's one of our operations."

A quote from this article puts it in a computer security perspective:
In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline.

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former U.S. Air Force secretary and National Security Council member.

What does this mean?

While incapacitating and destruction-based attacks are certainly significant, and important to defend against as they impact us directly regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users), smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal; here are two examples.

One famous case from a few years ago, which I had the unfortunate opportunity to study, led incident response for in the Government, and briefed Fortune 100 companies on, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, leaving traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance, when the creator of the Trojan horse used it for his own private purposes and it was discovered during the investigation into that harassment case. The stolen information was fed directly to the victims' competitors, which were most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the Post Office (which in Israel also operates as a sort of small bank) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation. This case was also broken by complete chance; originally, as nothing was stolen, it was to be ignored by the bank and local authorities.

In other cases, intelligence agencies of various countries, France being a prominent example, have been spying to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age".
This transition fosters international tensions even among allies. "Countries don't have friends - they have interests!" - screamed a DOE poster in the mid-nineties. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same. French relentless and unscrupulous pursuit of purloined intellectual property in the USA is described in Peter Schweizer's "Friendly Spies: How America's Allies Are Using Economic Espionage to Steal Our Secrets."

Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and change my focus on where I apply them, there is no inherent difference between defending your organization from computer-based espionage and protecting it against any Joe hacker.

In espionage, the attacker has more resources, both technical and operational. That is the one technical difference; the others are motive and legal standing.

Some of what I would do differently

I'd concentrate a bit more of my resources on network behavior analysis (unfortunately, not many tools exist for it, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attacker's risk and to increase their cost.

First, by doing my job: making myself too difficult a target in any way available to me, and letting people know about it. Stating the obvious by saying "do your job" is not too helpful, but it is solid advice. It is a strong 180-degree turn from strategies of the 1990s such as "let's not make ourselves a juicy challenge for these kids!"

Second, I'd invest anything I can spare in monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk factor for opponents that can't afford to be caught, and scare them off. Covertness is the name of the game, or they would have come through the front door.
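To make the network behavior analysis and anomaly monitoring mentioned above concrete, here is an added example (my illustration, not code from the original post or from any product named in it). It builds a per-host baseline of the destinations a workstation normally talks to, flags destinations that fall outside that baseline, and flags conversations whose timing is suspiciously regular, the "calling home" pattern a covert Trojan horse tends to show. The flow records, host names and IP addresses are constructed for the example; a real deployment would feed it NetFlow, proxy or firewall logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data (not real traffic). Each record is
# (timestamp, source host, destination IP, destination port, bytes sent).
BASELINE_FLOWS = [
    ("2008-09-01T09:00:00", "ws-12", "192.0.2.10", 443, 5120),   # intranet portal
    ("2008-09-01T09:05:00", "ws-12", "192.0.2.25", 25, 2048),    # mail relay
    ("2008-09-01T10:00:00", "ws-12", "192.0.2.10", 443, 6100),
    ("2008-09-01T09:02:00", "ws-40", "192.0.2.10", 443, 4000),
    ("2008-09-01T11:30:00", "ws-40", "192.0.2.25", 25, 1500),
]

# A later observation window. ws-12 behaves as before; ws-40 has started
# talking to a host outside the baseline at a near-fixed ten-minute interval.
OBSERVED_FLOWS = [
    ("2008-09-02T09:00:00", "ws-12", "192.0.2.10", 443, 5200),
    ("2008-09-02T09:04:00", "ws-12", "192.0.2.25", 25, 1900),
    ("2008-09-02T09:00:00", "ws-40", "192.0.2.10", 443, 4100),
    ("2008-09-02T09:10:00", "ws-40", "198.51.100.7", 443, 300),
    ("2008-09-02T09:20:03", "ws-40", "198.51.100.7", 443, 310),
    ("2008-09-02T09:30:01", "ws-40", "198.51.100.7", 443, 290),
    ("2008-09-02T09:39:58", "ws-40", "198.51.100.7", 443, 305),
    ("2008-09-02T09:50:00", "ws-40", "198.51.100.7", 443, 300),
    ("2008-09-02T11:30:00", "ws-40", "192.0.2.25", 25, 1400),
]


def build_baseline(flows):
    """Map each source host to the set of (destination, port) pairs it normally uses.
    This is the "map what my network actually looks like" step."""
    baseline = defaultdict(set)
    for _, src, dst, port, _ in flows:
        baseline[src].add((dst, port))
    return baseline


def new_destinations(baseline, flows):
    """Return sorted (src, dst, port) triples that never appeared in the baseline."""
    unseen = set()
    for _, src, dst, port, _ in flows:
        if (dst, port) not in baseline.get(src, set()):
            unseen.add((src, dst, port))
    return sorted(unseen)


def beaconing_conversations(flows, min_events=4, max_jitter=0.10):
    """Flag (src, dst, port) conversations whose inter-arrival times are nearly
    constant. Jitter is the coefficient of variation of the intervals
    (population stdev / mean); human-driven traffic is far burstier than this.
    Returns [((src, dst, port), mean_interval_seconds), ...]."""
    by_conversation = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_conversation[(src, dst, port)].append(datetime.fromisoformat(ts))
    flagged = []
    for conv, times in by_conversation.items():
        if len(times) < min_events:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_jitter:
            flagged.append((conv, round(avg)))
    return sorted(flagged)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for src, dst, port in new_destinations(baseline, OBSERVED_FLOWS):
        print(f"new destination: {src} -> {dst}:{port}")
    for (src, dst, port), interval in beaconing_conversations(OBSERVED_FLOWS):
        print(f"regular beacon: {src} -> {dst}:{port} every ~{interval}s")
```

Both checks are deliberately simple: the baseline needs periodic refreshing as legitimate destinations change, and a careful adversary can randomize timing, so these are triage signals for the analyst the post says you will need anyway, not a replacement for one.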

Entering an "industrial espionage defense" clause into your budget, or creating a "five year plan" to better protect your organization from organized industrial espionage, may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from "organized" hackers? Any experience, or thoughts, you can share?

Gadi Evron,
ge@linuxbox.org.

Follow me on twitter! http://twitter.com/gadievron
